Wired Intelligent Edge

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch} 

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Hi, Can you show us the applied ACL in the 8325? 


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

Attached are the VRFs on this switch.

Original Message:
Sent: Oct 31, 2022 11:55 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Hi.

Do you see that line ("apply access-list...") when you do a "show run"? 

What version is your 8325?
Original Message:
Sent: Oct 31, 2022 02:07 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

Attached are the VRFs on this switch.

Original Message:
Sent: Oct 31, 2022 11:55 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Yes, that line does appear in my running-config.   

ArubaOS-CX
(c) Copyright 2017-2022 Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : GL.10.09.1010
Build Date : 2022-03-10 23:10:12 UTC
Build ID : ArubaOS-CX:GL.10.09.1010:8514a9c2b904:202203102216
Build SHA : 8514a9c2b90406b241fea9565f76d0da78a9577b
Active Image : primary

Service OS Version : GL.01.08.0002
BIOS Version : GL-01-0013
Original Message:
Sent: Oct 31, 2022 05:05 PM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi.

Do you see that line ("apply access-list...") when you do a "show run"?

What version is your 8325?
Original Message:
Sent: Oct 31, 2022 02:07 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

Attached are the VRFs on this switch.

Original Message:
Sent: Oct 31, 2022 11:55 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

It's almost like the switch is ignoring the ACL completely because I can access the CLI or GUI from any subnet on our network.  I thought maybe it was ignoring the control-plane ACL because there was another Access-List, but my 6300 switches have a second Access-List on them too, but not the same name as the one on the 8325 and everything is working as I wanted on the 6300s.
Original Message:
Sent: Nov 01, 2022 08:58 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Yes, that line does appear in my running-config.

ArubaOS-CX
(c) Copyright 2017-2022 Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : GL.10.09.1010
Build Date : 2022-03-10 23:10:12 UTC
Build ID : ArubaOS-CX:GL.10.09.1010:8514a9c2b904:202203102216
Build SHA : 8514a9c2b90406b241fea9565f76d0da78a9577b
Active Image : primary

Service OS Version : GL.01.08.0002
BIOS Version : GL-01-0013
Original Message:
Sent: Oct 31, 2022 05:05 PM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi.

Do you see that line ("apply access-list...") when you do a "show run"?

What version is your 8325?
Original Message:
Sent: Oct 31, 2022 02:07 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

Attached are the VRFs on this switch.

Original Message:
Sent: Oct 31, 2022 11:55 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

Hi, I think is time to give TAC a call.

Original Message:
Sent: Nov 03, 2022 09:13 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

It's almost like the switch is ignoring the ACL completely because I can access the CLI or GUI from any subnet on our network.  I thought maybe it was ignoring the control-plane ACL because there was another Access-List, but my 6300 switches have a second Access-List on them too, but not the same name as the one on the 8325 and everything is working as I wanted on the 6300s.
Original Message:
Sent: Nov 01, 2022 08:58 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Yes, that line does appear in my running-config.

ArubaOS-CX
(c) Copyright 2017-2022 Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : GL.10.09.1010
Build Date : 2022-03-10 23:10:12 UTC
Build ID : ArubaOS-CX:GL.10.09.1010:8514a9c2b904:202203102216
Build SHA : 8514a9c2b90406b241fea9565f76d0da78a9577b
Active Image : primary

Service OS Version : GL.01.08.0002
BIOS Version : GL-01-0013
Original Message:
Sent: Oct 31, 2022 05:05 PM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi.

Do you see that line ("apply access-list...") when you do a "show run"?

What version is your 8325?
Original Message:
Sent: Oct 31, 2022 02:07 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

Attached are the VRFs on this switch.

Original Message:
Sent: Oct 31, 2022 11:55 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.

I called and uploaded my config to them. They noticed there was no default vrf in the running confog and suggested i apply the control-plane to the mgmt vrf and that worked. I should have updated this thread a few days ago when TAC responded. Thanks to all that helped me with this.
Original Message:
Sent: Nov 11, 2022 06:29 PM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think is time to give TAC a call.

Original Message:
Sent: Nov 03, 2022 09:13 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

It's almost like the switch is ignoring the ACL completely because I can access the CLI or GUI from any subnet on our network.  I thought maybe it was ignoring the control-plane ACL because there was another Access-List, but my 6300 switches have a second Access-List on them too, but not the same name as the one on the 8325 and everything is working as I wanted on the 6300s.
Original Message:
Sent: Nov 01, 2022 08:58 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Yes, that line does appear in my running-config.

ArubaOS-CX
(c) Copyright 2017-2022 Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : GL.10.09.1010
Build Date : 2022-03-10 23:10:12 UTC
Build ID : ArubaOS-CX:GL.10.09.1010:8514a9c2b904:202203102216
Build SHA : 8514a9c2b90406b241fea9565f76d0da78a9577b
Active Image : primary

Service OS Version : GL.01.08.0002
BIOS Version : GL-01-0013
Original Message:
Sent: Oct 31, 2022 05:05 PM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi.

Do you see that line ("apply access-list...") when you do a "show run"?

What version is your 8325?
Original Message:
Sent: Oct 31, 2022 02:07 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

Attached are the VRFs on this switch.

Original Message:
Sent: Oct 31, 2022 11:55 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think it should work.

Are you sure is applied to the control plane and in the correct VRF?



Original Message:
Sent: Oct 31, 2022 09:09 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.
Original Message:
Sent: Oct 27, 2022 10:02 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, Can you show us the applied ACL in the 8325?


Original Message:
Sent: Oct 26, 2022 03:59 PM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?
Original Message:
Sent: Oct 26, 2022 10:54 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.
Original Message:
Sent: Oct 25, 2022 10:23 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.
Original Message:
Sent: Oct 25, 2022 02:19 AM
From: Ulises Cazares
Subject: Restrict access to Network Team static IPs only

Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

Try changind the statement to /32 and let us know.

I hope this helps
Original Message:
Sent: Oct 24, 2022 11:20 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

Thank you for this.  I added the following with no new results:

80 deny any any {IP of my switch}

This is the ip of VLAN 1

I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)
Original Message:
Sent: Oct 24, 2022 10:00 AM
From: Herman Robers
Subject: Restrict access to Network Team static IPs only

Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 24, 2022 09:30 AM
From: Leigh Weems
Subject: Restrict access to Network Team static IPs only

I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.